A point-of-sale (POS) terminal is the device through which a retail transaction is made, i.e., the device at which a customer makes a payment to a merchant in exchange for goods or services. POS terminals generally include credit card readers, and store credit card information in their memories.
Credit card data is formatted in accordance with ISO/IEC 7813. The magnetic stripe of a credit card has three data tracks; payment cards use Track 1 and Track 2. Track 1 is recorded at 210 bits per inch and holds up to 79 alphanumeric characters, laid out as shown in TABLE I below.
TABLE I
Track 1 Standard

Track Field   Track Value
SS            start sentinel
FC            format code (B or b)
PAN           primary account number (up to 19 digits)
FS            field separator
CN            cardholder name (up to 26 characters)
FS            field separator
ED            expiration date (YYMM)
SC            service code
DD            discretionary data (may include PIN verification data)
ES            end sentinel
LRC           longitudinal redundancy check
A PAN may be validated using the Luhn algorithm. Exemplary credit card data formatted in accordance with the Track 1 standard is shown in TABLE II.

TABLE II
Exemplary Credit Card Data

Track Field                 Track Value
start sentinel              %
format code (B = bank)      B
primary account number      5874390765438112
separator                   ^
last name                   DOE
name separator              /
first name                  JOHN
separator                   ^
expiration year             11
expiration month            03
service code (3 digits)     101
discretionary data          000000001000000003000000
end sentinel                ?

Read as a single record, the exemplary data is %B5874390765438112^DOE/JOHN^1103101000000001000000003000000?
Credit cards are processed by POS terminals in three stages. At stage one, the credit card data for a transaction is held as plaintext in the random access memory (RAM) of the POS terminal. At stage two, the transaction data is stored for a short period until it is batch transmitted to the credit card company; a subset of the data is retained longer for recording in a log file or database. Stage two data is stored encrypted. At stage three, transaction data is batch transmitted over an internal local area network (LAN) or wide area network (WAN) and then over the public Internet, and the transmitted data is encrypted.
POS terminals are susceptible to intrusion by attackers, and the stage one data, which is not encrypted, is especially exposed. Attackers use "RAM scrapers" to extract credit card data from the RAM of POS terminals. A RAM scraper enumerates the processes running on the POS terminal and inspects their memory for data matching the format of credit card data: an account number, an expiration date, and the other fields stored on a card's magnetic stripe. RAM scrapers are injected into running processes and read the sensitive data from memory before it is encrypted. An attacker's goal is to steal the data stored on the magnetic stripes of credit cards, clone the cards, and make charges to the credit card accounts.
POS RAM scrapers generally use regular expression ("regex") matches to search for Track 1 and Track 2 credit card data in the process memory space of a POS terminal. An example of a regex for discovering Track 1 data is

^%([A-Z])([0-9]{1,19})\^([^\^]{2,26})\^([0-9]{4}|\^)([0-9]{3}|\^)([^\?]+)\?$

where the parenthesized groups capture, in order, the format code, the PAN, the cardholder name, the expiration date, the service code, and the discretionary data of TABLE I; the alternatives \^ for the expiration date and service code allow for records in which those fields are absent.
Depending on the complexity of the regex, a RAM scraper may also unintentionally capture garbage data from RAM in addition to legitimate card data, so POS RAM scrapers apply the Luhn algorithm to validate a candidate PAN prior to exfiltration.
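The scraper logic described in the last two paragraphs, and the Track 1 layout of TABLES I and II, as an added example that is not part of the original text. It applies the regex quoted above (written with the caret character '^'; the leading ^ and trailing $ anchors are dropped so the pattern can be scanned across a whole buffer with finditer) to a constructed stand-in for a POS process memory snapshot, parses each hit into the TABLE I fields, and then applies the Luhn check that the text says scrapers run before exfiltration. The function names, the snapshot bytes, and the second cardholder record are my own; 4111111111111111 is a widely used test PAN. One caveat worth noticing: the exemplary PAN from TABLE II (5874390765438112) does not pass the Luhn check, so a scraper following the described logic would discard it along with the regex-shaped garbage.

```python
"""Track 1 scraping logic as described above: regex match, then Luhn filter."""
import re

# The Track 1 regex quoted in the text, with the '^' and '$' anchors removed so
# that it can be applied with finditer() across an entire memory buffer instead
# of one already-isolated string. Groups: format code, PAN, cardholder name,
# expiration date, service code, discretionary data.
TRACK1_RE = re.compile(
    rb"%([A-Z])([0-9]{1,19})\^([^\^]{2,26})\^([0-9]{4}|\^)([0-9]{3}|\^)([^\?]+)\?"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN's final digit is a correct Luhn check digit."""
    if not pan.isdigit():
        return False
    total = 0
    # Walk from the check digit leftwards; double every second digit.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track1(match: "re.Match[bytes]") -> dict:
    """Split one regex match into the TABLE I fields."""
    fc, pan, name, exp, sc, dd = (g.decode("ascii", "replace") for g in match.groups())
    return {
        "offset": match.start(),
        "format_code": fc,
        "pan": pan,
        "cardholder": name,
        "expiry": exp,            # YYMM, or '^' when the field is absent
        "service_code": sc,       # 3 digits, or '^' when the field is absent
        "discretionary_data": dd,
        "luhn_valid": luhn_valid(pan),
    }


def scrape(buffer: bytes) -> list:
    """Every regex hit in the buffer, including garbage that merely looks like Track 1."""
    return [parse_track1(m) for m in TRACK1_RE.finditer(buffer)]


def exfil_candidates(buffer: bytes) -> list:
    """What a scraper would keep: only PANs that survive the Luhn check."""
    return [rec["pan"] for rec in scrape(buffer) if rec["luhn_valid"]]


# Constructed stand-in for a POS process memory snapshot (not a real dump):
# the TABLE II record, some unrelated bytes, a regex-shaped fragment with a
# one-digit "PAN", and a record built around the well-known test PAN
# 4111111111111111 (Luhn-valid) with made-up name/expiry/discretionary data.
MEMORY_SNAPSHOT = (
    b"\x00\x00POSAPP v2.1\x00"
    + b"%B5874390765438112^DOE/JOHN^1103101000000001000000003000000?"
    + b"\x00\xff\xfeTotal: %s\x00"
    + b"%A7^ab^^^0?"
    + b"\x00\x00"
    + b"%B4111111111111111^PUBLIC/JANE^2512101000000000000000000000000?"
    + b"\x00"
)

if __name__ == "__main__":
    for rec in scrape(MEMORY_SNAPSHOT):
        print(rec)
    print("would exfiltrate:", exfil_candidates(MEMORY_SNAPSHOT))
```

Running the module prints three regex hits but only one exfiltration candidate: the fragment %A7^ab^^^0? matches the pattern yet has a one-digit PAN that fails Luhn, and the TABLE II PAN fails Luhn as well, so only the 4111111111111111 record survives the filter. The same two-step logic, regex then Luhn, is what a defender can run over a suspect process dump to confirm whether card data was actually reachable in plaintext.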